Documentation Verification Service — Department of Human Services: Assessment report

1 October 2014

Assessment Report

Australian Privacy Principles Assessment
Section 33C(1)(a) Privacy Act 1988

Assessment undertaken: March 2014
Draft report issued: August 2014
Final report issued: October 2014

Part 1 — Introduction


1.1 The Document Verification Service (DVS) is a national secure online system, which enables authorised entities to electronically verify Evidence of Identity (EOI) documents issued by a range of Australian, State and Territory government agencies.

1.2 The Attorney General’s Department (AGD) has overall responsibility for the development and oversight of the DVS.

1.3 Evidence of Identity (EOI) documents that can be checked by the DVS are produced by a number of different Australian, State and Territory government agencies. These agencies are known as DVS issuer agencies.

1.4 Authorised government agencies and some private sector organisations (required under Commonwealth law to identify their customers[1]) may use the DVS to verify relevant EOI documents. These entities are known as DVS user entities.

1.5 The DVS system uses an electronic gateway known as the Hub, which securely accepts user requests and provides verification responses from the issuer agency that either validate or reject the submitted EOI detail.

1.6 At the time of the assessment, the Hub was operated and maintained by DHS (Centrelink Master Program), however, Oakton Consulting Technology (Oakton) has signed a four year managed services contract[2] with AGD to take over Hub operations from DHS by mid-2014.

The Office of the Australian Information Commissioner’s role

1.7 The Office of the Australian Information Commissioner (OAIC) provides advice and considers privacy issues that arise from the implementation and operation of the DVS.

1.8 Privacy assessments under s 33C(1)(a) of the Privacy Act 1988 (Cth)(the Privacy Act) (called audits before 12 March 2014) are conducted to consider whether personal information held by an APP entity is being maintained and handled in accordance with the Australian Privacy Principles (APPs). This includes assessing aspects of the DVS such as issuer and user interactions with the DVS, and the operation of the Hub.

Reasons for target selection

1.9 This was the eighth audit / assessment of the DVS conducted since 2006. The assessors’ main reasons for selecting DHS as an assessment target were that it is a relatively new issuer agency, having first included the DVS as a component of its Medicare business processes in June 2012. In addition, the Medicare card is extensively available and assessors therefore expect that it will be increasingly used as EOI by individuals, over time.

Part 2 — Description of assessment


2.1 The purpose of the assessment was to determine whether DHS maintains DVS related personal information records in accordance with selected APPs referred to in s 14 and contained in Schedule 1 of the Privacy Act. Specifically, the assessment considered the issues of security and collection of solicited personal information by DHS, in its role as a DVS issuer agency regarding Medicare cards.

Objective, scope and assessment techniques

2.2 The objective of the assessment was to assess the security and collection of personal information in connection with DHS’s DVS responsibilities as an issuer of Medicare cards.

2.3 The scope of the assessment was therefore limited to those APPs involving solicited personal information collection (APP 3) and security issues (APP 11).

2.4 The scope did not include an assessment of the following:

  • APPs other than APP 3 and APP 11
  • DHS’s handling of DVS data in relation to its role as the operator of the Hub
  • records disposal or retention requirements under the Archives Act 1983 (Cth).

2.5 Assessment techniques employed by assessors included:

  • a document review of materials provided by DHS to the OAIC for assessment
  • a site inspection of DHS facilities relevant to the operation of the DVS
  • semi-structured interviews with key DHS staff to assess processes, procedures, training and staff awareness around the security and collection of personal information in the DVS, relevant to DHS’s role as a Medicare card issuer.

Timing and location

2.6 The assessors conducted the fieldwork component of the assessment on 18 and 19 March 2014, at DHS’s offices located at:

  • 25 Cowlishaw Street, Tuggeranong (Louisa Lawson Building)
  • 134 Reed Street, Tuggeranong (Main Office).

Information obtained from DHS

2.9 DHS provided several documents both prior to, during and following the fieldwork period of this assessment. A full list of this information is available at Appendix A.

Assessment opinion

2.10 The assessors consider that DHS is generally maintaining personal information records in accordance with the APPs outlined within the scope of the assessment.

2.11 The assessors identified some minor privacy risks in the report but have made no privacy recommendations.


2.12 To the extent possible, the OAIC publishes final assessment reports in full or in an abridged version on its website, It is sometimes inappropriate to publish all or part of a report because of statutory secrecy provisions or for reasons of privacy, confidentiality, security or privilege.

2.13 This report has been published in full.

Part 3 — Description of assessment target


3.1 DHS administers Medicare on behalf of the Department of Health (Health), which is responsible for developing Medicare policy.

DVS responsibilities

3.2 The DVS Hub Operations team within the Centrelink Master Program area of DHS (the Hub operator) manages both the operation of the DVS Hub, as well as all general matters in relation to the operation of the DVS across DHS program areas.

3.3 Responsibilities relating to DHS’s role as an issuer agency in the DVS, specifically in connection with Medicare card verification issues, are handled by DHS staff from the Customer and Provider Details Branch.

DHS areas relevant to the assessment

3.4 As part of its assessment, the OAIC interviewed staff from the:

  • Government Business branch (DVS Hub operations team)to gain a general overview of DHS issuer and Hub operations relevant to the DVS.

  • Customer and Provider Details branch (Health Directories team), which handles issuer operations relating to the DVS.

  • Privacy and Secrecy branch (Legal Services team), responsible for preparing training and legal materials to support staff in meeting their privacy obligations. This area also fields privacy related complaints and oversees other privacy functions such as transitional arrangements under the reformed Privacy Act and the preparation of privacy impact assessments.

  • eHealth & Government to Business Systems Branch (Business Application Development team), which provides Information and Communications Technology (ICT) services to the DVS Hub Operations team.

  • Applications Services Engineering Branch (SOA Platform Engineering) to clarify the security measures and logging processes used by DHS.

Part 4 — Assessment issues

4.1 The following findings relate to the assessors’ consideration of DHS’s handling of personal information relevant to the security and collection of solicited personal information under the APPs in the Privacy Act.

4.2 The APPs are available at

APP 3 issues — Collection of solicited personal information

4.3 APP 3 states that agencies must not collect personal information unless the information is reasonably necessary for, or directly related to, one or more of the agency’s functions or activities (APP 3.1). Personal information must be collected by lawful and fair means (APP 3.5) and only directly from the individual, unless an exception applies (APP 3.6). In addition, the entity may only collect sensitive information if the individual consents to the collection, or an exception applies (APP 3.3).

Key points of APP 3

4.4 An entity collects personal information only if the information is collected for inclusion in a record or generally available publication:

  • Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, which may or may not be true and may or may not be in material form.

  • A record includesa document; an electronic or other device; but does not include a generally available publication; letters or other articles in the course of transmission by post; or other examples cited in s 6 of the Privacy Act.

4.5 An APP entity solicits personal information when it requests another entity to provide that information, or to provide a kind of information in which that personal information is included.

4.6 A request is an active step taken by an entity to collect personal information. This may include an arrangement for sharing or transferring information between APP entities.

4.7 For information to be directly related to one or more of the agency’s functions or activities, a clear and direct connection must exist between the personal information being collected and the agency function or activity.

4.8 Personal information reasonably necessary for a function or activity is information relevant to the primary purpose of collection. A collection based on the possibility that data may become necessary for a function or activity in the future would not be deemed reasonably necessary. Further, if the entity can undertake the function or activity by collecting a lesser amount of personal information, it must do so.

4.9 Functions or activities may include current functions, proposed functions and activities carried out in support of a function.

4.10 A collection is deemed lawful if it is not criminal, illegal, prohibited or proscribed by law. A fair means of collecting information does not involve intimidation or deception and is not unreasonably intrusive.

4.11 Information must be solicited from the individual directly unless:

  • it is unreasonable or impracticable to collect directly from the individual
  • the individual consents to the information being collected from someone other than themselves
  • the agency is required or authorised by or under Australian law, or court order or tribunal order to collect the information from someone other than the individual.

4.12 Sensitive information is defined in s 6 of the Act and does not include any of the categories of information collected by DHS in its role as an issuer agency.


Personal information flows in the DVS

4.13 The diagram below maps the flow of personal information arising from DHS’s participation as an issuer in the DVS.

The diagram below maps the flow of personal information arising from DHS's participation as an issuer in the DVS.

4.14 The diagram illustrates that personal information is sent by the user agency through the DVS Hub before it reaches the issuer agency. The Hub processes the information received from the user agency before passing it on to the issuer agency.

4.15 The following information is received by the Hub operator when a Medicare card verification request is made:

  • personal information including the individual’s full name, Medicare card number, card issue number, individual reference number (IRN) and card expiry date

  • user agency identifying information including the originating agency code (OAC) and time and date stamp detail. This information is associated with a unique Verification Request Number (VRN1).

Collection of agency identifying information by issuer agency DHS

4.16 Assessors noted that, in addition to the VRN1 (which contains user agency identifying information relevant to each request), the Hub operator also allocates a second Verification Request Number (known as VRN2) to each request received, which does not include any user agency identifying information.

4.17 The VRN1 is removed by the Hub operator before the request is assigned to the relevant issuer agency. Only the VRN2 (which does not contain user agency information) is retained in the request sent to the issuer agency.

4.18 The OAIC therefore considers that there is no collection of agency identifying information, solicited or unsolicited, being undertaken by DHS as an issuer agency. Further analysis of the subject is included in the ‘OAIC view’ section of this report.

Collection of personal information by issuer agency DHS

4.19 Personal information received by the Hub operator as part of a Medicare card verification request is necessarily retained in the message forwarded to DHS.

4.20 This is because it is the Medicare related identifying information of the individual which allows DHS to verify the authenticity of Medicare cards. Each additional information category provided through the DVS increases the likelihood that DHS will accurately verify a valid Medicare card against its records.

4.21 The collection of information by DHS therefore appears necessary and directly related to the functions and activities of DHS as the issuer of the Medicare card.

4.22 The information handling process used by DHS then proceeds as follows:

  • the Hub operator receives verification requests from user agencies in an MQ Series Point to Point format. DHS converts the messages it receives from the Hub operator to a Simple Object Access Protocol (SOAP) format

  • the Hub operator transmits data to DHS’s Enterprise Service Bus (ESB), where standard requests are processed. The ESB also acts as a gateway for all incoming web service calls

  • personal information is automatically processed and responses are returned back to the user agency via the DVS Hub operator, within a matter of seconds

  • processing returns a ‘Y’ (yes), ‘N’ (no) or ‘S’ (system error) response to the user

  • web service calls are only generated when an ‘S’ response is received, in which case the matter is referred internally to the Customer and Provider Details Branch for investigation.

4.23 Following its collection of personal information, DHS includes this information in its access log.

4.24 DHS stores this data in DHS’s Enterprise Data Warehouse (EDW). The information is delivered to EDW through a daily batch process that extracts access log table changes from the Operational System and loads into the EDW via mainframe datasets.

4.25 Access log use is restricted to incident management situations and log accesses are limited to approved SAS Portal users specific to the DVS program. DHS advised that there are currently ten approved DHS users, comprising DVS Hub Operations team members, EDW managers and SAS Portal managers.

4.26 DHS has no standard reporting requirements to AGD. The purpose of transferring personal information to its access logs is to:

  • trace back data received through the DVS to compare this information against the Medicare data already stored in DHS’s Medicare records, to investigate the cause of the system error response

  • facilitate internal audits of the access log data stored within the EDW, to verify the personal information is being accessed appropriately.

4.27 The OAIC therefore considers that DHS collects DVS related personal information as part of its role as an issuer, and stores it separately from the original Medicare data it holds. Further analysis of this APP 3 related issue is included in the ‘OAIC view’ section.

Collection of personal information as a result of manual verification

4.28 In some cases, DVS issuer agencies may agree to undertake manual verification of EOI data, where the automated DVS response has produced an unsatisfactory result for the user agency, or in the event of a system failure.

4.29 DHS’s Privacy Impact Assessment (PIA) dated 28 September 2011, entitled ‘Participation by DHS as an issuer agency in the Document Verification Service (DVS)’ identifies the practice of manual verification as a privacy risk and recommends that DHS should develop procedures to ensure that in the rare event of any manual handling of a verification request (to address an IT system failure):

  • personal information is protected; and
  • any records of personal information made for DVS rectification purposes are destroyed once the verification request is dealt with by (DHS).

4.30 The DVS Hub operations team acts as the main contact for enquiries from both user and issuer agencies involved in the DVS. However, the team advised assessors that it does not accept any manual verification requests from user agencies.

4.31 Furthermore, DHS as an issuer agency does not communicate directly with user agencies and does not conduct manual verifications by referral from the Hub operator.

4.32 The OAIC therefore considers that as DHS does not conduct manual verifications of DVS related data, it is not collecting any personal information for this purpose. Further analysis of the subject is included in the ‘OAIC view’ section of this report.

Collection of sensitive personal information

4.33 Assessors did not observe any collection of sensitive personal information by DHS as an issuer agency.

OAIC view

Agency identifying information

4.34 The assessors do not consider that DHS as an issuer agency is collecting agency identifying information or manually verifying DVS related information provided by users.

4.35 In the OAIC’s view, these actions exhibit an appropriate privacy approach in DHS’s collection of DVS related information when acting as an issuer, because:

  • the specific agency an individual has approached to use the issued EOI documents for the verification request remains confidential, given that DHS is unaware of the originating agency’s identity

  • DHS does not conduct manual verifications of DVS related data and is therefore less likely to modify, disclose or lose DVS related information as a result of human error.

Collection of solicited personal information

4.36 In its role as an issuer agency of the DVS, DHS collects personal information under a data sharing arrangement where personal information is transferred between user agencies and issuer agencies.

4.37 By participating in the DVS, an issuing agency is taking active steps to collect personal information. Specifically, DHS is inviting user entities to provide it with personal information for identity verification purposes.

4.38 Assessors are therefore of the view that DHS’s collection of personal information when discharging its DVS functions, is a solicited one.

Purpose of personal information collections

4.39 The assessors consider that in its role as an issuer, DHS collects personal information for investigative and audit purposes.

4.40 Where a successful verification occurs, the personal information received by DHS will be identical to the data it already holds for the individual. An unsuccessful verification may result from a non-match of personal data provided in the DVS request with existing Medicare data holdings, or due to a system error.

4.41 Regardless of whether the verification is successful or not, a record is created by (and stored within) DHS’s access logs for the transaction.

4.42 The OAIC is of the view that the collection of personal information for verification, investigative and audit purposes is directly related to the agency’s DVS related functions and activities.

Requirement to collect personal information directly from the individual

4.43 Assessors observed that DHS does not collect personal information directly from individuals, as the personal information it receives is provided by relevant user agencies through the DVS Hub.

4.44 In its PIA of the DVS issued in June 2007, AGD advised that DVS use by user agencies will only occur with the consent of the individual concerned. Further, consent obtained by the user agency amounts to consent for the DVS transaction in its entirety. For the user agency, individual consent to verify EOI will therefore be express. Issuer agencies such as DHS will not practically be able to request an individual’s express consent, but can imply consent from the requirement that user agencies obtain consent to the transaction as a whole.

4.45 Therefore, given that:

  • individuals provide their consent to have their information collected as part of the DVS transaction
  • it is impracticable to require issuer agencies to collect this information directly from the individual as part of the DVS transaction

the OAIC considers that DHS is exempt from the requirement to collect solicited information directly from the individual under both APP 3.6(a)(i) and (b) in this instance.

Collection by lawful and fair means

4.46 Following its observation of DHS’s collection processes, the assessment team considers that DHS is collecting personal information by lawful means.

4.47 In addition, given that individuals provide their consent to the DVS transaction prior to collection occurring, assessors are of the view that personal information is being collected by fair means, as the transaction does not involve intimidation or deception and is not unreasonably intrusive.

4.48 The OAIC considers that in its role as an issuer, DHS collects DVS related personal information in accordance with its APP 3 obligations. The OAIC makes no privacy recommendations in relation to this aspect of the assessment.

APP 11 issues — Security of personal information

4.49 APP 11 states that entities that hold personal information must take steps that are reasonable in the circumstances to protect the personal information from misuse, interference and loss; and from unauthorised access, modification or disclosure. APP 11 also requires APP entities to take reasonable steps to destroy or de-identify personal information they are no longer using, unless the data is contained in a Commonwealth record.

Key points of APP 11

4.50 An APP entity holds personal information when its relationship with the data it acquires extends beyond physical possession to include the right or power to deal with the record.

4.51 What constitutes reasonable steps will depend upon circumstances that include the amount and sensitivity of personal information held; the nature of the entity; possible adverse consequences to individuals; entity’s information handling practices and whether a security measure is itself privacy invasive.

4.52 The meaning of misuse includes use by an APP entity for a purpose that is not permitted by the Privacy Act. APP 6 discusses permitted uses in more detail.

4.53 Interference occurs where there is an attack on the personal information held by an APP entity that interferes with the data but does not necessarily modify its content.

4.54 Loss covers the accidental or inadvertent loss of personal data held by an APP entity, but does not apply to intentional destruction or de-identification under the APPs.

4.55 Unauthorised access occurs when the personal information that an APP entity holds is accessed by someone not permitted to do so, including an employee of the entity.

4.56 Unauthorised modification occurs when personal information that an APP entity holds is altered by someone who is not permitted to do so, or is altered in a way that is not permitted under the Privacy Act.

4.57 Unauthorised disclosure occurs when an APP entity releases the subsequent handling of that personal information from its effective control in a way that is not permitted under the APPs, including unauthorised disclosure by entity employees.

4.58 Where an APP entity no longer needs personal information for any purpose for which the information may be used or disclosed under the APPs, the entity must take reasonable steps to destroy the information or ensure it is de-identified, unless certain exceptions apply. Relevantly, one of these exceptions is where the personal information is part of a Commonwealth record.


Physical security

4.59 The physical security of records is not a primary focus in a system such as the DVS, as all personal information is transmitted and stored in an electronic format.

4.60 However, assessors note that general physical security measures assist in preventing unauthorised access, modification or disclosure of personal information by third party visitors to DHS’s physical premises.

4.61 Assessors observed that there were appropriate sign-in/sign-off processes and visitor badge identifications for visitors to both the Louisa Lawson building and the Main Office of DHS.

4.62 Assessors were escorted at all times by DHS staff while on the DHS premises.

Electronic security - misuse

4.63 Assessors observed that personal information collected through the DVS by DHS as an issuer agency is only used for the following purposes:

  • to verify against Medicare card records held on an individual, and provide a DVS response category (that is ‘Y’, ‘N’ or ‘S’)
  • to facilitate internal access log audits of this information.

4.64 Assessors did not observe any unauthorised uses of DVS related personal information by DHS in its role as an issuer.

Electronic security — interference

4.65 The DVS is designed to circumvent direct exchanges of data between user entities and issuer agencies. Instead, the existence of the Hub operator minimises the risk of user entities interfering with issuer data or systems, by acting as a conduit between them.

4.66 The Hub operations team advised assessors that the channel between the Hub operator and DHS’s Medicare systems remains open. However, this does not create any risk of external interference, as all relevant systems are housed within the broader DHS systems framework.

4.67 DHS’s systems are protected from external attack by three layers of security, which are managed at the Enterprise Service Bus (ESB) level. These include:

  • front end security — DHS only accepts requests originating from a business partner URL or IP address

  • core messaging standards — user agencies are required to use an appropriate digital signature when providing data to DHS. This authenticates the identity of the message sender and ensures there has been no interference with or modification of the message in transit. The requester must also use a trusted certificate, such as a Public Key Infrastructure (PKI) certificate. Header elements of the certificate include product use, subject and user details, while the message body contains payload data (that is Medicare card details needed for verification). Note that user agency identity is not disclosed at the issuer end of this transaction

  • Transport Layer Security (TLS) — TLS uses cryptographic protocols, which are designed to provide communication security by encrypting data flows between the communicating parties. Interference or interception of this information will generally fail to provide the attacker with any valid information. However, TLS use may be vulnerable to man-in-the-middle (MITM) attacks unless a two-way (mutual) authentication method is being used. DHS’s ‘Web Services standards’ document states that its TLS is mutually authenticated.

Electronic security — loss

4.68 Information is transmitted from user agencies to the Hub operator using an MQ Series Point to Point format and is relayed from the Hub operator to DHS’s issuer agency system using a Simple Object Access Protocol (SOAP) format.

4.69 SOAP is a message-level protocol for web services, recommended for use by the World Wide Web Consortium (W3C). W3C describes SOAP as a ‘lightweight protocol for exchange of information in a decentralized, distributed environment’.

4.70 DHS’s ‘Web Services standards’ document states that SOAP allows the use of many alternative transports for message exchange and allows both synchronous and asynchronous message transfer and processing.

4.71 In addition, Message Queue provides a utility which can send and receive SOAP messages, so there is a limited risk of data being lost in transit due to protocol incompatibility.

Electronic security — unauthorised access, modification or disclosure

4.72 Assessors noted that responsibility for various aspects of the DVS are distributed across distinct DHS areas such as the Hub operator, the ESB, the Customer and Provider Details branch and the EDW. Accesses to DVS data relating to each role are confined to staff within the relevant area.

4.73 Cross-area accesses can only be obtained by specific request. Assessors were only aware of the Hub operator team requesting extended accesses for the purpose of fulfilling its role as main DVS contact for DHS.

4.74 One of DHS’s purposes for including payload data (that is DVS related personal information) in its access log is to monitor internal accesses of this information and ensure these data accesses are authorised.

4.75 DHS does not conduct manual verifications of DVS related data and is therefore less likely to modify, disclose or lose DVS related information as a result of human error.

4.76 The three layers of security outlined under the ‘electronic security — interference’ section of this report also protect against unauthorised modifications of message data transmitted between user entities and DHS as an issuer agency.

4.77 In addition to the above measures, the Services Schedule outlines the information security measures that DHS has agreed to implement at a minimum, as part of this arrangement. These measures include:

  • complying with the Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF)
  • restricting use of DVS technical components, including the DVS Hub, to authorised personnel
  • ensuring that interfaces do not allow DVS Hub messages to be retrieved or reviewed outside the DVS
  • ascertaining that the use of DVS technical components (including access to the DVS) does not
    • permit unauthorised access to technical components, systems or software
    • disable, damage or disrupt technical components, systems or software
  • regular training and awareness programs for staff on social engineering risks (that is, tricking someone into giving out data, such as a password) and their mitigations
  • regular process reviews conducted to ensure appropriate measures are in place to minimise or reduce risks to the DVS.
Destruction and de-identification requirements

4.78 In response to assessors asking how long DHS as an issuer agency retains DVS related personal information in the EDW, DHS advised:

‘This can be answered from two perspectives. The first is that data is stored in accordance with any relevant Records Management authorities. The second relates to the philosophy of Enterprise Data Warehouses in general, in that data is usually not deleted, and that is the case with this.’

4.79 The requirements for de-identifying and destroying information that is no longer required are explicit under APP 11. Specifically, APP 11.2 states that an APP entity must take reasonable steps to destroy personal information or ensure it is de-identified if the entity no longer needs the information.

4.80 However, the requirement to take reasonable steps to destroy or de-identify under APP 11.2 does not apply if personal information is contained in a Commonwealth record, or if an Australian law or a court/tribunal requires it to be retained.

4.81 Personal information records collected by an agency are likely to be Commonwealth records for the purposes of the Archives Act.

4.82 Assessors note, however, that it is good privacy practice to only hold personal information for as long as is necessary. Personal information should be destroyed as soon as it can be, in accordance with the Archives Act.

Staff awareness of privacy obligations

4.83 The Privacy and Secrecy branch is responsible for preparing and delivering privacy training and other privacy awareness material to all DHS staff.

4.84 Assessors were advised there is no DVS-specific training material being provided to the DHS in its role as an issuer agency. However, staff training materials specifically targeting the APPs have been delivered through DHS’s online portal.

4.85 The training module was published on the portal on 27 March 2014 and was brought to staff’s attention through a range of internal communications, including emails and announcements from Leadership regarding the operation of the new reforms and intranet updates as the implementation date approached.

4.86 The training is an interactive e-learning module, consisting of an outline of the APPs, as well as practical scenarios, to be completed by the staff member.

4.87 In addition to this training, staff are given induction training which includes a privacy component. A series of privacy-related factsheets are also available on the intranet.

4.88 DHS advised that all privacy related online training is compulsory and completion is recorded in its SAP Essentials system. Further, staff training is reviewed every 12 months.

4.89 All DHS staff are also required to sign a declaration of confidentiality, which is attached to DHS’s ‘Staff Privacy and Confidentiality Guidelines and Declaration’.

4.90 Assessors are unaware of any required sign-off process by staff after privacy-related training has been completed.

Privacy complaints

4.91 The Privacy and Secrecy branch is also responsible for the handling of DVS related privacy complaints. They advised the assessors that they have not received any DVS related individual complaints to date.

OAIC view

4.92 Within the scope of this assessment, assessors observed that the security steps implemented by DHS were reasonable in the circumstances.

4.93 Further, assessors did not consider that there were any specific privacy risks raised by the security measures that DHS currently has in place.

4.94 While destruction and de-identification requirements do not apply to Commonwealth records, DHS should be aware of its record disposal obligations and destroy personal information as soon as it can, in accordance with the Archives Act.

4.95 Assessors are of the opinion that DHS generally has appropriate privacy related training and awareness programs for staff. However, DHS may also wish to consider developing DVS specific privacy training for participating staff.

4.96 The assessors recognise that there have been no privacy complaints relating to DHS’s participation in the DVS and consider that this positively reflects on DHS’s current privacy practices.

Appendix A — Documents obtained from DHS


  • Medicare DVS Issuer (CDRI) TRA
  • Privacy Impact Assessment: Participation by DHS as an Issuer Agency in the Document Verification Service (DVS)(28 September 2011)
  • DHS DVS Hub Logical view
  • DVS Business Case: The Document Verification Service: Participation as an Issuer Agency
  • Business Requirement Statement: New Issuer Connection — Medicare Card
  • DVS Hub to MCA High Level Architecture document
  • Services Schedule for Medicare as an Issuer
  • Taskcard: Raising an issue or problem for Medicare as a DVS issuer
  • Consumer Directory Repository (CDR) Service system interface specifications (SIS) Verify Medicare Card Service
  • Staff Privacy and Confidentiality Guidelines and Declaration.

During and post-fieldwork

  • DVS test access log
  • Medicare mini organisational chart
  • EDW sample access log
  • DHS External Web Services Profile
  • Training Plan — Introduction to the Australian Privacy Principles.


[1] DVS access page, DVS website — viewed 26 March 2014

[2] Media Release dated 5 March 2014 entitled ‘Oakton signs four year managed services engagement for Document Verification Service with Commonwealth Attorney General’s Department’ (PDF).